
9 th Colloquium for Information Systems Security Education United States Military Academy, West Point, New York 7 - 10 June 2004 www.ncisse.org. 5th Annual IEEE Information Assurance Workshop “The West Point Workshop” United States Military Academy, West Point, New York 10-11 June 2004


The Software provides you the opportunity to access content for no charge. In return for the right to access this Content, you acknowledge and agree that the Software contains additional software products provided to PSD Tools .... In addition, the Software will interoperate with your current instant messaging client so as to permit the automatic sending of advertising messages originating from your Computer to your contact or “buddy” list regarding Content offered by PSD Tools or its suppliers.

I'd like to point out that the majority of the problems we have had have two things in common. In fact, I would say that these are two necessary conditions for every mail-based worm we have seen in the past couple of years, and at least one of the two is necessary for all the others:

They include an executable for Windows

They are based on an executable encoded using MIME in email

Those of us on machines running Solaris, HP/UX, MacOS, BSD, Linux, etc have simply had to deal with all the extra email fallout, but the Malware has not established itself on our machines.

There are fundamental architectural problems in Windows that make these kinds of things work so well (from the attackers' point of view). I don't believe they are being addressed as part of the MS security push, either. So, one way to protect yourself from these attacks is to consider a switch to another OS, at least for machines that handle email.

That's not to say that other operating systems aren't susceptible to viruses -- they are. However, those other systems don't allow general user accounts such unfettered access to structures and resources that make worms so easy to establish, insert deeply into the system, and propagate so quickly.

As to the second point, if we simply start blocking any executable content attachments, we will do a lot to stop these kinds of things (not to mention recover disk space and bandwidth, cut down on trojans, and reduce the number of pranks users play on each other). I block .(com|cmd|exe|pif|scr|bat) files on general principle. I also bounce .doc files, and I am now bouncing .zip archives. This has never caused me any real difficulty in collaboration with others. If anything, it has cut down on the junk people simply mail because it is easy. Sending around 50K files for a 3 line memo is a waste of resources.

ANY executable type routinely sent via email is going to result in a danger. Our community has established that we can't train our users to avoid clicking on attachments. It is also clear that the anti-virus programs, as a rule, don't catch all the new malware. So, let's be proactive and simply shut down the vector -- stop allowing users to send executables in email.

I've expressed this before on this list and been mildly flamed for suggesting that people stop exchanging dangerous file types. However, I'm sure that most (if not all) of those who were so quick to criticize my advice have also had to clean up multiple instances of malware since. To me, it's like walking in a 1970s restaurant and suggesting that people stop smoking because it is harmful to everyone there. After being booed out, I've been enjoying the fresh air and watching all the smokers cough and succumb to repeated lung diseases. The addicts are so far gone they can't envision what it is like to be free of the addiction so they argue with anyone who suggests they can.

I average over 200 email messages a day (NOT counting spam). In 25 years online, I have never had a computer virus or worm on my personal machines, with the exception of the Morris Worm in 1988. I do not have any anti-virus software scanning my email, either. It's not rocket science: I use a Mac, and I don't open or accept executable attachments unless I have prearranged for them and know what they are. I use a mailer that doesn't auto-open attachments. I don't use Word. So long as people want to put patches on fundamentally unsound software and procedures, problems will continue. If we want to really make a change, it requires actually *changing* things rather than putting new patches in place.

> But, there are Linux trojans and worms (do google searches of slapper
> and bliss, for example). It's been 17 months since any made headlines
> (an eternity in Internet years), but they do exist. In addition, some
> windows viruses can infect applications run under WINE.

I was around for Slapper, and Bliss and Lion, and for *MORRIS*, for that matter.

So nobody needs to tell me "they do exist". However, security is about trade offs - what's your best payback for effort, and are you spending more on security than you're likely to lose?

Which is more likely to produce *effective* results:

1) Buying an A/V package for a single-user Solaris workstation that scans for PC viruses (when the box isn't even a mail or file server).

2) Buying an A/V package for that Solaris box that scans for Solaris viruses and worms.

3) Shelling out for a copy of the SANS Step-by-step for Solaris and a copy of Tripwire (or a copy of the Center for Internet Security benchmark for Solaris and the freeware Tripwire, and a long afternoon, if your budget is tight). Won't stop many viruses, but will help with all the OTHER attacks that Solaris boxes *are* prone to...

Now, what can you conclude about the all-too-common site that blindly mandates (1) or (2), but *doesn't* require (3) just to connect to the network?

And as the original poster has *already* clarified, their site *does* realize the truly poor price/performance of Unix/Linux A/V and is willing to grant exemptions.

For a short period of time, our central mail servers were configured to delete executable attachments from email messages. As a result of complaints from faculty, IT management instructed us to find another way to deal with the potential risks of executable attachments in email.

are discarded. Executable attachments which are not identified as malicious are renamed by appending '_unknown' to the file name. For example, 'trojan.exe' becomes 'trojan.exe_unknown'. We rename based on the filename extension, and there are approximately 70 extensions on the list. During the 48 hour period ending at midnight last night, the servers renamed 253 attachments, including 135 .zip, 21 .dll, 17 .pif, 16 .scr, 16 .exe, and 15 .adp.

When an attachment is renamed, a MIME part is inserted at the top of the message advising the recipient that the attachment has been renamed and warning the recipient of the potential risks of executing files which arrive by email. The recipient can save the attachment as a separate file, rename it, and launch it, however, it will not be launched automatically by the user's email client. It is a compromise. We may deliver malicious content, but we make the user work to execute it.

It's pretty rare that people actually legitimately try to send a .exe file, but when they do, they get a bounce back and can then deal with it by zipping the .exe first - not a big deal, and it lets us reject most new viruses before the signatures are even out. In the case of this latest virus, because it came through zipped, it got through our virus scanner for about 45 minutes. In that 45 minutes, many dozens of machines on campus got infected by users who had forgotten the golden "don't open attachments" rule.
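The three gateway policies the posts above describe (bouncing anything with an executable extension, renaming the attachment with a '_unknown' suffix and inserting a warning MIME part at the top of the message, and the zipped-worm case where an executable inside a .zip slipped past an extension check) as one worked example in Python. This is added code, not the filter any of the posters ran; the short extension list, the warning text, the '_unknown' handling of archives and the sample message are all constructed assumptions, and only the sub-parts of a multipart message are inspected.

```python
"""Added example (not from any post above): a mail-gateway attachment policy
that either bounces a message carrying an executable attachment or renames
the attachment with a '_unknown' suffix and prepends a warning part, and that
also looks inside .zip attachments for executable members."""
import io
import zipfile
from email import policy
from email.message import EmailMessage, MIMEPart
from email.parser import BytesParser

# Assumption: a short illustrative subset of the ~70-entry lists the posts mention.
BLOCKED_EXTENSIONS = {"exe", "com", "cmd", "bat", "pif", "scr", "dll", "adp", "vbs"}
ARCHIVE_EXTENSIONS = {"zip"}
RENAME_SUFFIX = "_unknown"
WARNING_TEXT = ("NOTICE: an attachment on this message was renamed by the mail gateway\n"
                "because its file type can execute when opened. Do not run files that\n"
                "arrive by email unless you were expecting them.\n")

def extension_of(filename):
    """Lower-case extension of a filename, '' when it has none."""
    return filename.rsplit(".", 1)[1].lower() if filename and "." in filename else ""

def zip_members(data):
    """Member names of a zip payload; [] if the bytes are not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def dangerous_attachments(msg):
    """Yield (part, reason) for each attachment the policy objects to.
    Only the sub-parts of a multipart message are inspected."""
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = extension_of(name)
        if ext in BLOCKED_EXTENSIONS:
            yield part, f"{name}: executable extension .{ext}"
        elif ext in ARCHIVE_EXTENSIONS:
            bad = [m for m in zip_members(part.get_payload(decode=True))
                   if extension_of(m) in BLOCKED_EXTENSIONS]
            if bad:
                yield part, f"{name}: archive carries executable member(s) {', '.join(bad)}"

def reject_reasons(raw):
    """Bounce policy: reasons the message would be rejected ([] means accept)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [reason for _, reason in dangerous_attachments(msg)]

def rename_policy(raw):
    """Rename policy: returns (rewritten message bytes, original names renamed).
    The warning part is inserted at the top only when something was renamed."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    renamed = []
    for part, _ in list(dangerous_attachments(msg)):
        old = part.get_filename()
        new = old + RENAME_SUFFIX
        # The name may sit in Content-Disposition, Content-Type or both;
        # rewrite whichever is present so every client sees the new name.
        if part.get_param("filename", header="content-disposition") is not None:
            part.set_param("filename", new, header="Content-Disposition", replace=True)
        if part.get_param("name") is not None:
            part.set_param("name", new, replace=True)
        renamed.append(old)
    if renamed:
        warning = MIMEPart()
        warning.set_content(WARNING_TEXT)
        msg.get_payload().insert(0, warning)  # first sub-part of the multipart/mixed
    return msg.as_bytes(), renamed

def attachment_names(raw):
    """Filenames of the named attachments, for inspecting a rewritten message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]

def build_sample_message(with_executables=True):
    """Constructed sample: a memo with a .pdf and, optionally, a bare .exe plus a
    .zip wrapping a .scr (the zipped-worm case from the last post)."""
    msg = EmailMessage()
    msg["Subject"] = "memo"
    msg.set_content("Three-line memo; see attachments.")
    msg.add_attachment(b"%PDF-1.4 fake report", maintype="application",
                       subtype="pdf", filename="report.pdf")
    if with_executables:
        msg.add_attachment(b"MZ\x90\x00 fake PE image", maintype="application",
                           subtype="octet-stream", filename="trojan.exe")
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("photo.scr", b"not a screensaver")
            zf.writestr("readme.txt", b"harmless")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="photos.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    sample = build_sample_message()
    print("bounce reasons:", reject_reasons(sample))
    rewritten, renamed = rename_policy(sample)
    print("renamed:", renamed, "-> now:", attachment_names(rewritten))
```

Renaming deliberately leaves the bytes in place: after the rewrite the attachments no longer match the block list, so a mail client will not auto-launch them, but a user can still save, rename and run the file, which is exactly the compromise the post describes. The zip check only looks at member names, so an archive that is itself a container for another archive, or a password-protected zip, still needs a scanner behind it.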